Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled with NDEBUG. Attackers can send crafted CoAP requests with malformed OSCORE options or responses during OSCORE negotiation to trigger out-of-bounds reads during CBOR parsing and potentially cause heap buffer overflow writes through integer wraparound in allocation size computation.
AnalysisAI
Out-of-bounds read in libcoap's OSCORE CBOR parsing can escalate to heap buffer overflow, enabling remote unauthenticated attackers to trigger memory corruption via malformed CoAP packets. Affects libcoap versions prior to v4.3.5b. The vulnerability stems from release builds removing assert() bounds checks in get_byte_inc(), allowing integer wraparound during allocation size computation. No public exploit identified at time of analysis, but proof-of-concept is straightforward given the specific code path and commit fix available.
Technical ContextAI
libcoap is a C implementation of the Constrained Application Protocol (CoAP, RFC 7252) used in IoT and resource-constrained devices. OSCORE (Object Security for Constrained RESTful Environments, RFC 8613) provides end-to-end encryption for CoAP messages using CBOR (Concise Binary Object Representation) encoding. The vulnerability resides in src/oscore/oscore_cbor.c's get_byte_inc() function, which performs buffer access during OSCORE Appendix B.2 CBOR unwrapping. The root cause (CWE-125: out-of-bounds read) occurs because bounds validation relies exclusively on assert() statements that are compiled out when NDEBUG is defined in production builds. This allows attackers to supply CBOR-encoded payloads that cause reads beyond allocated buffer boundaries. The secondary impact involves integer wraparound during subsequent allocation size calculations based on attacker-controlled length fields, potentially converting the read primitive into heap buffer overflow writes. Affected product: cpe:2.3:a:libcoap:libcoap:*:*:*:*:*:*:*:* versions below v4.3.5b.
RemediationAI
Upgrade libcoap to version v4.3.5b or later, which introduces proper bounds checking independent of assert() macros. The fix is available in upstream commit b7847c4dbb0dbee7c90b09a673d4cae256f03718 at https://github.com/obgm/libcoap/commit/b7847c4dbb0dbee7c90b09a673d4cae256f03718. Organizations maintaining custom libcoap builds should apply this commit and recompile with OSCORE support. If immediate patching is not feasible, implement network-level mitigations: restrict CoAP endpoint access to trusted networks only via firewall rules blocking UDP port 5684 (CoAPS) and 5683 (CoAP) from untrusted sources, or disable OSCORE support at compile time if the encryption feature is not required (trade-off: loss of end-to-end CoAP security). Application-level workaround: implement input validation to reject OSCORE options exceeding expected size thresholds before they reach libcoap parsing routines, though this requires deep protocol knowledge and may not catch all malformed inputs triggering the integer wraparound path. Note that disabling OSCORE eliminates this specific attack surface but removes message-level confidentiality and integrity protections.
A vulnerability was found in obgm libcoap 4.3.4. Rated high severity (CVSS 7.8), this vulnerability is low attack comple
An issue in `coap_pdu.c` in libcoap 4.3.4 allows attackers to cause undefined behavior via a sequence of messages leadin
Buffer Overflow vulnerability in coap_send function in libcoap library 4.3.1-103-g52cfd56 fixed in 4.3.1-120-ge242200 al
libcoap 4.3.1 contains a buffer over-read via the function coap_parse_oscore_conf_mem at coap_oscore.c. Rated medium sev
Availability loss and potential remote code execution in libcoap (versions up to and including 4.3.5, before commit 30db
A memory disclosure vulnerability exists in libcoap's OSCORE configuration parser in libcoap before release-4.3.5-patche
Null pointer dereference in coap_dtls_info_callback() in OISM libcoap 4.3.5 allows remote attackers to cause a denial of
NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attack
Array index error in tls_verify_call_back() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to cause
NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attack
NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attack
NULL pointer dereference in coap_dtls_generate_cookie() in src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attack
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23535